Block Cipher Modes of Operation
1
Modes of Operation
Initialize Vector (IV)
A block of bits to randomize the encryption and hence to produce
distinct ciphertext
Nonce : Number (used) Once
Random of psuedorandom number to ensure that past
communications can not be reused in replay attacks
Some also refer to initialize vector as nonce
Padding
Final block may require a padding to fit a block size
2
Modes of Operation
Current well-known modes of operation
3
Electronic Codebook Book (ECB)
Message is broken into independent blocks which are
encrypted
Each block is encoded independently of the other blocks
Ci = EK (Pi)
Uses: secure transmission of single values
4
ECB Scheme
5
Remarks on ECB
Strength: it’s simple.
Weakness:
Repetitive information contained in the plaintext may show in the
ciphertext, if aligned with blocks.
If the same message is encrypted (with the same key) and sent
twice, their ciphertext are the same.
Typical application:
secure transmission of short pieces of information (e.g. a
temporary encryption key)
6
Cipher Block Chaining (CBC)
Solve security deficiencies in ECB
Repeated same plaintext block result different ciphertext block
Each previous cipher blocks is chained to be input with
current plaintext block, hence name
Use Initial Vector (IV) to start process
Ci = EK (Pi XOR Ci-1)
C0 = IV
Uses: bulk data encryption, authentication
7
Cipher Block Chaining (CBC)
8
Remarks on CBC
The encryption of a block depends on current and all
blocks before it.
So, repeated plaintext blocks are encrypted differently.
Initialization Vector (IV)
May sent encrypted in ECB mode before the rest of
ciphertext
9
Cipher FeedBack (CFB)
Use Initial Vector to start process
Encrypt previous ciphertext, then combined with the plaintext block
using X-OR to produce the current ciphertext
Cipher is fed back (hence name) to concatenate with the rest of IV
Plaintext is treated as a stream of bits
Any number of bit (1, 8 or 64 or whatever) to be feed back (denoted CFB-1,
CFB-8, CFB-64)
Relation between plaintext and ciphertext
Ci = Pi XOR SelectLeft(EK (ShiftLeft(Ci-1)))
C0 = IV
Uses: stream data encryption, authentication
10
Cipher FeedBack (CFB)
11
Cipher FeedBack (CFB)
CFB as a Stream Cipher
In CFB mode, encipherment and decipherment use the
encryption function of the underlying block cipher.
Remark on CFB
The block cipher is used as a stream cipher.
• enable to encrypt any number of bits e.g. single bits or single
characters (bytes)
• S=1 : bit stream cipher
• S=8 : character stream cipher)
A ciphertext segment depends on the current and all preceding
plaintext segments.
A corrupted ciphertext segment during transmission will affect the
current and next several plaintext segments.
Output FeedBack (OFB)
Very similar to CFB
But output of the encryption function output of cipher is fed
back (hence name), instead of ciphertext
Feedback is independent of message
Relation between plaintext and ciphertext
Ci = Pi XOR Oi
Oi = EK (Oi-1)
O0 = IV
Uses: stream encryption over noisy channels
15
CFB V.S. OFB
Cipher Feedback
Output Feedback
16
OFB Scheme
17
OFB Encryption and Decryption
OFB as a Stream Cipher
In OFB mode, encipherment and decipherment use the encryption
function of the underlying block cipher.
Remarks on OFB
Each bit in the ciphertext is independent of the previous bit or
bits. This avoids error propagation
Pre-compute of forward cipher is possible
Security issue
when jth plaintext is known, the jth output of the forward
cipher function will be known
Easily cover jth plaintext block of other message with the
same IV
Require that the IV is a nonce
20
Counter (CTR)
Encrypts counter value with the key rather than any feedback value
(no feedback)
Counter for each plaintext will be different
can be any function which produces a sequence which is
guaranteed not to repeat for a long time
Relation
Ci = Pi XOR Oi
Oi = EK (i)
Uses: high-speed network encryptions
CTR Scheme
CTR Encryption and Decryption
Counter (CTR)
Remark on CTR
Strengthes:
Needs only the encryption algorithm
Random access to encrypted data blocks
blocks can be processed (encrypted or decrypted) in parallel
Simple; fast encryption/decryption
Counter must be
Must be unknown and unpredictable
pseudo-randomness in the key stream is a goal
25
Remark on each mode
Basically two types:
Block cipher
Stream cipher
CBC is an excellent block cipher
CFB, OFB, and CTR are stream ciphers
CTR is faster because simpler and it allows parallel processing
Modes and IV
An IV has different security requirements than a key
Generally, an IV will not be reused under the same key
CBC and CFB
Reusing an IV leaks some information about the first block
of plaintext, and about any common prefix shared by the two
messages
OFB and CTR
Reusing an IV completely destroys security
27
CBC and CTR comparison
CBC CTR
Padding needed No padding
No parallel processing Parallel processing
Separate encryption and Encryption function alone is
decryption functions enough
Random IV or a nonce Unique nonce
Nonce reuse leaks some Nonce reuse will leak
information about initial information about the entire
plaintext block message
28
Comparison of Different Modes
29
Comparison of Modes
Mode Description Application
ECB 64-bit plaintext block encoded Secure transmission
separately of encryption key
CBC 64-bit plaintext blocks are Commonly used
XORed with preceding 64-bit method. Used for
ciphertext authentication
CFB s bits are processed at a time and Primary stream
used similar to CBC cipher. Used for
authentication
30
Comparison of Modes
Mode Description Application
OFB Similar to CFB except that Stream cipher well suited
the output is fed back for transmission over
noisy channels
CTR Key calculated using the General purpose block
nonce and the counter value. oriented transmission.
Counter is incremented for Used for high-speed
each block communications
31